FIG. 8

Server_startup: THE FIRST TIME THIS IS CALLED, $bank IS EQUAL TO "", WHICH CAUSES server_startup TO READ IN THE LIST OF BANKS, AND FORK OFF A CHILD FOR EACH BANK FOUND

Server_startup, ONCE IT HAS A BANK, READS IN ALL THE NAMES OF THE CONFIGURATION FILES FOUND IN THAT BANK

Server_startup PARSES EACH CONFIG FILE NAME, GATHERING THE IP FROM THE NAME. IT THEN BUILDS A LIST OF IP'S TO CALL, AND RETURNS THIS TO THE CALLER, ALONG WITH THE NAME OF THE BANK (THE FIRST PARAMETER)

THE MAIN SERVER CODE STARTS A LOOP BASED ON THE LIST OF IP ADDRESSES

FOR EACH IP ADDRESS FOUND IN THE LIST, THE MAIN SERVER CODE FIRST CHECKS TO SEE IF THIS IS A NEW CONFIG FILE BY LOOKING FOR THE WORD "ISAT.NEW" IN THE IP NAME

THE MAIN SERVER CODE READS IN THE CONFIG FILE, BUILDING A CONFIG PACKAGE FOR THE AGENT (SEE CONFIG AGENT FLOW CHART)

THE MAIN SERVER CODE STARTS A LOOP BASED ON THE LIST OF IP's

( END )

THE MAIN SERVER CODE FORMULATES AN https GET REQUEST TO https://IP/?GOT_DATA, WHERE IP IS REPLACED WITH THE ACTUAL IP ADDRESS OF THE AGENT

THE RETURN RESPONSE IS CHECKED. IF IT CONTAINS "NOCONFIG", THE SERVER CALLS THE agent_configuration API (SEE CONFIG AGENT FLOW CHART)

LOOP

FIG. 9

902: AGENT MAIN DETECTS A POST METHOD CONTACT AND READS STANDARD IN FOR THE RECEIVED DATA

904: AGENT MAIN CALLS THE parse_post_data API PASSING IN THE DATA READ IN FROM STANDARD IN

THE parse_post_data API SIMPLY CALLS sensor_status_api, AND PASSES THE base64 DECODED SENSOR PACKAGE TO THIS

908: SENSOR STATUS API READS IN THIS DATA, AND WRITES OUT AN ENCRYPTED FILE IN /opt/isatd/logs/, BY THE NAME OF internal.status, CONTAINING THIS DATA. SENSOR STATUS THEN RETURNS TO THE CALLER (RETURNING NOTHING)

910: Parse_post_data THEN CALLS takedown_running_config

920: Takedown_running_config READS IN /opt/isatd/logs/.childpids, WHICH CONTAINS THE PID OF EACH CURRENTLY RUNNING CHILD (IF ANY)

API SENDS A KILL SIGNAL (2) TO EACH PID LISTED IN CHILDPIDS, CAUSING EACH PID TO FINISH WHAT IT IS DOING, THEN HALT AND GO INTO A WAIT STATE

A KILL (1) IS SENT TO THE CURRENT PID ($$), CAUSING THE ENTIRE AGENT TRANSPORT TO RE-START COMPLETELY (KILLING OFF ANY EXISTING CHILDREN)

926: ON RE-START, agent_startup IS CALLED. THIS INTERNAL API READS /opt/isatd/logs/internal.status, DECRYPTING IT, AND PARSING OUT EACH SENSOR PACKAGE

FOR EACH SENSOR PACKAGE FOUND IN THE internal.status FILE, A SEPARATE CHILD IS FORKED OFF, AND PASSED THE SENSOR PACKAGE TO RUN

FIG. 10

AGENT MAIN PARSES THE MONOLITHIC SENSOR PACKAGE RECEIVED FROM THE SERVER, BREAKING IT INTO INDIVIDUAL SENSOR PACKAGES

FOR EACH SENSOR PACKAGE AGENT MAIN CALLS verify_code_signature WITH THE ACTUAL BLOCK OF ENCRYPTED EXECUTABLE CODE AND ITS ATTACHED CONFIG DATA AND SIGNATURE

Verify_code_signature PARSES THE INDIVIDUAL SENSOR PACKAGE, SEPARATING OUT CONFIGURATION DATA, ENCRYPTED SENSOR CODE, AND THE SIGNATURE OF THIS ENCRYPTED CODE

Verify_code_signature PASSES THE ENCRYPTED SENSOR CODE, THE BUILT-IN PUBLIC CERTIFICATE TO VERIFY AGAINST AND THE ACTUAL SIGNATURE RECEIVED BY THE SERVER, TO SMIME

Verify_code_signature CHECKS THE RETURN STATUS FROM SMIME (THE ACTUAL BINARY THAT DOES THE SIGNATURE MATCHING). IF IT CONTAINS "SIGNATURE VERIFIED", THE API RETURNS BACK TO THE CALLER THE CONFIGURATION DATA IT PARSED OUT, AS WELL AS THE ENCRYPTED CODE BLOCK. IF THE SIGNATURE IS NOT VERIFIED, THE API RETURNS UNDEF

IF THE CALLER (AGENT MAIN) RECEIVES A SENSOR PACKAGE (DOES NOT RECEIVE UNDEF FROM verify_code_signature), IT WILL FORK OFF A CHILD TO HANDLE THIS SENSOR PACKAGE. THE PARENT WILL THEN LOOP TO HANDLE THE NEXT SENSOR IN LINE

THE CHILD RECEIVES THIS PACKAGE, AND DECRYPTS THE SENSOR, AND THEN PRE-PENDS THE CONFIGURATION DATA ONTO THE DECRYPTED SENSOR. THIS IS DONE EACH TIME THE SENSOR IS TO BE RUN, IN ORDER TO NOT LEAVE ANY DECRYPTED CODE IN MEMORY. THE TIMING FOR RUNNING THE SENSOR IS CONTROLLED BY THE TIMING STRING THAT HAS ALREADY BEEN SEPARATED OUT BEFORE verify_code_signature WAS CALLED